The FortiGate has the following configuration (showing only the relevant part).
config system interface
    edit "wan1"
        set ip 10.1.1.1 255.255.255.0
        set type physical
        set inbandwidth 1024
        set outbandwidth 1024
    next
    edit "internal1"
        set ip 20.1.1.1 255.255.255.0
        set allowaccess https ssh snmp
        set type physical
    next
    edit "internal5"
        set ip 30.1.1.1 255.255.255.0
        set allowaccess ping
        set type physical
    next
end
config firewall shaper traffic-shaper
    edit "client-guarantee-800kbps-high"
        set guaranteed-bandwidth 800
        set maximum-bandwidth 1024
        set per-policy enable
    next
    edit "crew-guarantee-400-medium"
        set guaranteed-bandwidth 200
        set maximum-bandwidth 1024
        set priority medium
    next
end
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "client-10.1.1.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP_GET"
        set logtraffic all
        set traffic-shaper "client-guarantee-800kbps-high"
        set nat enable
    next
    edit 2
        set srcintf "internal5"
        set dstintf "wan1"
        set srcaddr "crew-20.2.2.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set traffic-shaper "crew-guarantee-400-medium"
        set nat enable
    next
end
The following chart displays the utilization of the WAN link during the upload/download test. The link was fully utilised all the time, regardless of which internal link was used or the direction of the traffic.
The next charts display the link utilisation via both LAN ports, internal1 (client) and internal5 (crew), while the FTP downloads were either running simultaneously on both LAN networks or were stopped on the different subnets.
The following events, marked with the text boxes, took place on the 2 links.
1. The FTP download was started on both of the links and the traffic-shaping policies kicked in. The download was started a few minutes earlier on the client link; the default priority 0 (High) was assigned to the traffic and the download could use the full 1 Mb link speed.
When the download started on the crew link, both of them were automatically shaped to the configured value.
2. Downloading was stopped on the crew network and the client network could again use the 1 Mb external bandwidth until the download was restarted.
The high-priority sessions were already running on the client link and, as a result, they took priority over the crew download, so that subnet could only use the guaranteed limit (200 kbps).
3. FTP was stopped on the client link. The crew could access more bandwidth as only casual web browsing, etc. was happening on the client link.
The crew could push the link usage up to 500 kbps until the FTP session was restarted.
4. When the FTP session was restarted on the client link, the shaping policy kicked in again to allocate the guaranteed 800 kbps limit to the requests.
The rest of the requests on the medium-priority crew link were shaped back.
5. The download finished on the high-priority client link and the download on the medium-priority link could have more bandwidth again.
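The behaviour above depends on the guaranteed values of the two shapers fitting inside the WAN link. The following is an added example, not part of the original article or Fortinet's own tooling: it parses a configuration in the format shown and sums the guaranteed bandwidth of the shapers used by policies leaving each interface. Comparing that sum with `outbandwidth`, and treating both as kbps as the article does, are assumptions of this example; `parse` and `audit` are hypothetical names.

```python
import shlex

# Constructed sample: the wan1, shaper and policy lines from the configuration above.
CONFIG = """config system interface
edit "wan1"
set outbandwidth 1024
next
end
config firewall shaper traffic-shaper
edit "client-guarantee-800kbps-high"
set guaranteed-bandwidth 800
next
edit "crew-guarantee-400-medium"
set guaranteed-bandwidth 200
next
end
config firewall policy
edit 1
set dstintf "wan1"
set traffic-shaper "client-guarantee-800kbps-high"
next
edit 2
set dstintf "wan1"
set traffic-shaper "crew-guarantee-400-medium"
next
end"""

def parse(text):
    """Parse flat config/edit/set/next/end text into {section: {entry: {key: value}}}."""
    tree, section, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = " ".join(tok[2:])
    return tree

def audit(tree):
    """Per egress interface: summed guaranteed bandwidth of policy shapers vs. outbandwidth."""
    shapers, ifaces, total = tree["firewall shaper traffic-shaper"], tree["system interface"], {}
    # Assumption: each policy's shaper is counted once per policy (true for this page's config).
    for pol in tree["firewall policy"].values():
        if "traffic-shaper" in pol:
            kbps = int(shapers[pol["traffic-shaper"]].get("guaranteed-bandwidth", 0))
            total[pol["dstintf"]] = total.get(pol["dstintf"], 0) + kbps
    return {i: {"guaranteed": g, "limit": int(ifaces[i].get("outbandwidth", 0)),
                "oversubscribed": g > int(ifaces[i].get("outbandwidth", 0))} for i, g in total.items()}
```

For the configuration on this page the guarantees total 1000 against the 1024 set on wan1; raising the crew guarantee to 400 would bring the total to 1200 and the check would report the link as oversubscribed.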
For more information on Traffic Shaping and priority configuration, refer to the following documents on the Fortinet Document Library web site:
- FortiOS 5.0 or 5.2 Handbook.
- FortiOS Traffic Shaping guide.
Copyright 2024 Fortinet, Inc. All Rights Reserved.